SANS Digital Forensics and Incident Response Blog

For forensic analysts working in Windows environments, .lnk shortcut files and the thumbprint caches are valuable sources for details about missing data.

Individuals wanting to hide their activities may flush their browser cache and Temp files, and even wipe the drive's free space. However, they may forget these two minor "tidbits", which can show detail, indicate actions and reveal associated history. Be warned: I have found Windows machines with thousands of .lnk files on a "scrubbed PC."

The shortcut (.lnk) file is an amazing mine of information for such a small file. This PDF (See Link) is an invaluable source describing the details of the .lnk shortcut format. The shortcut file name is usually of the form name.ext.lnk. There may be multiple .lnk files created for one file, depending upon the type.

.lnk file properties show only the tip of the available information. Compare the same Word 2007 Brains.docx.lnk file for XP and Windows 7. I use XVI32 as my hex editor for details about the type of storage, location, Volume Serial Number and much more.
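The fields named above (storage type, location, Volume Serial Number, target timestamps) live in fixed structures that can be pulled out without a hex editor. The parser below is an added example, not the post's code and not one of the tools mentioned in the comments. It follows the public MS-SHLLINK layout (ShellLinkHeader, LinkTargetIDList, LinkInfo with VolumeID, StringData) and builds its own constructed sample shortcut so it runs offline; the file names, serial number, label, timestamps and ItemID payload bytes in that sample are made up, not taken from a real capture.

```python
"""Minimal forensic parser for Windows shortcut (.lnk) files (MS-SHLLINK layout)."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means unset."""
    return None if ft == 0 else _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstring(buf, off):           # null-terminated ANSI string
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def _wstring(buf, off):           # null-terminated UTF-16LE string, scanned 2 bytes at a time
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_lnk(data):
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey) = struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    if hdr_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize/CLSID)")
    info = {"link_flags": flags, "file_attributes": attrs, "target_size": fsize,
            "target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(wtime)}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 IDListSize, then the IDList; skipped
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # all LinkInfo offsets are relative to its start
        base = pos
        (li_size, _li_hdr, li_flags, vol_off, local_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<7I", data, base)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath
            vbase = base + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vbase)
            if label_off == 0x14:                # label is Unicode; real offset follows
                label = _wstring(data, vbase + struct.unpack_from("<I", data, vbase + 16)[0])
            else:
                label = _cstring(data, vbase + label_off)
            info.update(drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)),
                        volume_serial=f"{serial:08X}", volume_label=label,
                        local_base_path=_cstring(data, base + local_off))
        info["common_path_suffix"] = _cstring(data, base + suffix_off)
        pos = base + li_size
    # StringData: uint16 CountCharacters followed by the characters, no terminator.
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return info


def build_sample_lnk():
    """Constructed sample: shortcut to a .docx on a removable drive (values are made up)."""
    created = datetime(2010, 3, 15, 14, 22, 31, tzinfo=timezone.utc)
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    ft = datetime_to_filetime(created)
    header = struct.pack("<I16sIIQQQIiIH", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, 48_213, 0, 1, 0) + b"\x00" * 10   # Reserved1..3
    idlist = struct.pack("<H", 6) + b"\x00\x00\x00\x00" + b"\x00\x00"  # one ItemID + TerminalID
    idlist_block = struct.pack("<H", len(idlist)) + idlist
    label = b"USBSTICK\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    local_base, suffix = b"E:\\Brains.docx\x00", b"\x00"
    vol_off = 0x1C
    local_off = vol_off + len(volume_id)
    suffix_off = local_off + len(local_base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x01,
                            vol_off, local_off, 0, suffix_off) + volume_id + local_base + suffix
    wstr = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + idlist_block + link_info + wstr(".\\Brains.docx") + wstr("E:\\")


if __name__ == "__main__":
    for k, v in parse_lnk(build_sample_lnk()).items():
        print(f"{k:20} {v}")
```

Run it against a real shortcut with `parse_lnk(open(path, "rb").read())`; the volume serial and drive type are what tie a shortcut to a particular (possibly removable) volume even after the target file is gone.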

Review the XP hex dump example below. Then compare the two different hex dumps of Windows 7 .lnk files. (You may need to zoom to inspect the images.) I did not include all of the first .lnk file's hex.

Steven is the senior member of an IT Security team for a Bio-Pharma company. He has presented to a variety of audiences including SANS, Midwest Consolidated Security Forum and various local chapters of HTCIA and ISACA. His current focus is Certificate Management, Encryption and Incident Response. With a science degree unrelated to IT, Steven has over 20 years in Information Technology, with the past 13 years in Security. He has earned, among various vendor certificates, his CISSP (#3700), CISA (#153869) as well as GIAC G7799 (#151) Silver and GCFA (#18) Gold certifications.

9 Comments

trustedsignal

Also check out Harlan Carvey's wonderful little utility lslnk.pl, which will parse lnk files and dump timestamps and volume information including volume serial number, if it was a removable volume, and more. Very useful and easier to read than hex dumps.

Albert

Mark Woan

Try lnkanalyser: http://www.woanware.co.uk/lnkanalyser/ It is based on the official Microsoft link file shortcut specification, gets more information than most parsers e.g. NewObjectId Volumes and BirthObjectId Volumes.

Adam

While the document by Jesse Hager referenced is a great reference, the one below from Microsoft will most likely be a little more accurate and probably will be updated more frequently. http://msdn.microsoft.com/en-us/library/dd871305(PROT.10).aspx

trustedsignal

Albert, most posts are reviewed and edited as time permits. True, that opening sentence is rough, but I think most folks get the meaning. We're not all prize winning authors. We are all volunteers working in the field, trying to share knowledge and experiences with others.

David

I have to agree with Albert. I'd take the extra 5 mins to properly proofread blog posts. The blog post will be online for years I guess. Also is it me or are the paths missing the slashes? I seem to recall this on previous SANS forensics blog posts. Makes it tough to read. thanks. %Drive%:Documents and SettingsUser IDApplication DataMicrosoftOfficeRecent

Dave Hull

I have cleaned up the opening sentence and hope it's easier to read now. As for the slashes in the path, they are in the original article, but when published in WordPress they were showing up as spaces. I believe I've corrected that, at least they show up in my browser now.
